When you SSH into a server, the SSH client automatically looks for and uses SSH keys stored in your system. Understanding which key is used can help troubleshoot connection issues and manage secure access effectively.
SSH Key Loading Process
The client attempts to authenticate using SSH keys in this order:
1. Command-line specified key (if using the -i option)
ssh -i ~/.ssh/specific_key user@server
2. Keys listed in SSH config (if IdentityFile is specified)
The SSH client configuration file (~/.ssh/config) lets you specify which keys to use for which hosts:
Host myserver
HostName myserver.com
User myuser
IdentityFile ~/.ssh/my_custom_key
If this file exists, SSH will prioritize the IdentityFile specified for that host instead of the default keys.
3. Default SSH Key Files in ~/.ssh/:
The SSH client checks the following key files in order of priority:
1. On Linux/macOS (~/.ssh/ directory)
- ~/.ssh/id_rsa (Private Key - RSA)
- ~/.ssh/id_ecdsa (Private Key - ECDSA)
- ~/.ssh/id_ed25519 (Private Key - Ed25519)
- ~/.ssh/id_dsa (Private Key - DSA, deprecated due to weak security)
2. On Windows (OpenSSH)
- OpenSSH on Windows follows the same convention and looks in C:\Users\<username>\.ssh\.
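As an added example (not code from the original page), the following Python script models the selection order described above against a constructed ~/.ssh/config: keys given with -i first, then every IdentityFile from each Host block that matches, and the default files only when neither is set. Host matching is simplified to fnmatch-style patterns with ! negation; Match blocks and Include directives are assumed out of scope.

```python
import fnmatch
import shlex

# Default identity files, in the order this page lists them.
DEFAULT_IDENTITIES = ["~/.ssh/id_rsa", "~/.ssh/id_ecdsa",
                      "~/.ssh/id_ed25519", "~/.ssh/id_dsa"]

# Constructed sample ~/.ssh/config for this example (not a real host set-up).
SAMPLE_CONFIG = """\
Host myserver
    HostName myserver.com
    User myuser
    IdentityFile ~/.ssh/my_custom_key

Host *.internal !build.internal
    IdentityFile ~/.ssh/internal_key
    IdentityFile ~/.ssh/internal_backup

Host *
    IdentityFile ~/.ssh/catchall_key
"""

def host_matches(patterns, host):
    """Simplified ssh_config Host matching: the block applies if some
    pattern matches and no '!'-negated pattern matches."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched

def identity_files(host, config_text, cli_keys=()):
    """Private keys the client would try for `host`, in order:
    -i keys, then every IdentityFile of each matching Host block,
    else the defaults. Match and Include are not handled here."""
    keys = list(cli_keys)                  # 1. keys passed with -i
    active = True                          # lines before any Host apply globally
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = shlex.split(line)
        if key.lower() == "host":
            active = host_matches(args, host)
        elif key.lower() == "identityfile" and active and args:
            keys.append(args[0])           # 2. config keys accumulate
    return keys or list(DEFAULT_IDENTITIES)  # 3. defaults only if none set
```

Note that a catch-all Host * block appends its IdentityFile to every host's list, which is a common reason ssh -v shows more keys being offered than expected.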
SSH Agent
The SSH agent is a program that caches your decrypted private keys in memory, allowing you to:
- Enter your passphrase only once per session
- Use different keys for different servers without manual intervention
Start the agent with:
eval $(ssh-agent)
Add keys to the agent with:
ssh-add ~/.ssh/your_key
Agent forwarding (use with caution)
ssh -A user@hostname
Remember that agent forwarding should be used sparingly as it increases your attack surface.
Detailed Key Loading Sequence:
1. The SSH client reads the configuration from:
- System-wide config (/etc/ssh/ssh_config)
- User-specific config (~/.ssh/config)
2. For each authentication attempt, the client:
- Checks if the private key file exists
- Verifies file permissions (must be 600 for private keys)
- Attempts to decrypt the key if it's passphrase-protected
- Presents the corresponding public key to the server
3. The server checks authorized_keys:
- Looks in ~/.ssh/authorized_keys for the connecting user
- Compares the presented public key with stored keys
- If matched, generates a challenge encrypted with the public key
- Client decrypts with private key to prove ownership
Checking Which SSH Key is Being Used
To check which SSH key is being used when connecting to a server, run:
ssh -v user@server.com
To list all SSH keys currently loaded in the SSH agent:
ssh-add -L
If no keys are found, you may need to start the SSH agent and add your key manually:
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_rsa
Important Security Considerations:
1. File Permissions:
- ~/.ssh directory should be 700 (drwx------)
- Private keys should be 600 (-rw-------)
- authorized_keys should be 600 (-rw-------)
2. Key Types:
- Prefer ed25519 keys (ssh-keygen -t ed25519)
- RSA keys should be at least 4096 bits
- Avoid DSA keys (insecure)
3. Passphrase Protection:
- Always use passphrases for private keys
- Use ssh-agent to avoid frequent passphrase entry
Summary
- SSH automatically reads key files from ~/.ssh/ in order of priority.
- The ~/.ssh/config file can override default key selection.
- Use ssh -v to debug which key is being used.
- The SSH agent manages loaded keys, and ssh-add can be used to add new ones.
Understanding these mechanisms will help you better manage SSH authentication and troubleshoot key-related issues. 🚀